New Combinator Password Cracking Methods

While doing a security assessment a password hash was recovered using responder.py, we then attempted to crack the hash using Hashcat and the hate_crack script and failed to recover this hash. We were later successful in getting domain admin level access using another method and using CrackMapExec we were able to use Mimikatz to recover the clear text password from the memory of the user’s computer. We found that it consisted of two words separated by a number and was 12 characters long. It didn’t fit any of the Pathwell Top 100 Mask Brute Force Crack methods. The mask was ?u?u?d?l?l?l?l?l?l?l?l?l

This is a very common and logical pattern that many people use.

I could just add this mask to the existing Pathwell masks, and this would work taking about 3 days with 4 Nvidia Geforce GTX 1080s. But it would be more efficient to use a modified combinator attack, which would work in many more instances. Hashcat allows you to add a rule to each side of the combinator attack using the -j and -k flags, this allows you to append a character to each side of the combinator attack. As far as I can tell though there is no way to simulate a mask with one run, so I added two new methods to the hate_crack script. The first method I am calling the Middle combinator attack.It is simple:

Dict1 + masks + Dict2

Where the masks are: 2 4 <space> – _ , + . &

I chose these as I have found these are common characters to separate two words.

The second method I am calling the Thorough Combinator Attack. It runs through many different combinator attacks using different masks. Currently, it uses the following methods: